Ivanti: Updates fix critical vulnerabilities in Endpoint Manager and other products
Ivanti fixes vulnerabilities in Endpoint Manager, Workspace Control and Cloud Service Appliance. One vulnerability in EPM receives the highest possible CVSS score of 10.
Ivanti has discovered security vulnerabilities, some of them critical, in several products. Updates to correct the security-relevant errors are available for Ivanti's Endpoint Manager, Workspace Control and Cloud Service Appliance. A vulnerability in Ivanti's Endpoint Manager has achieved the highest possible threat rating of critical with a CVSS score of 10.0.
Ivanti's Endpoint Manager (EPM) was hit the hardest. The available updates correct a total of 16 security vulnerabilities. Of these, Ivanti's developers classify ten as critical security risks, two as high and four as medium. The most serious vulnerability allows attackers to inject malicious code from the network without prior authentication, which is due to the deserialization of untrusted data (CVE-2024-29847, CVSS 10.0, risk "critical"). Version 2022 SU6 and the September update for EPM 2024 close these vulnerabilities. Ivanti's security advisory links to the corrected files and explains how to install them.
Ivanti: Other products with security vulnerabilities
Ivanti has reported another vulnerability in the Cloud Service Appliance (CSA). Attackers who are logged in to the system can inject commands into the operating system and thus smuggle in and execute malicious code from the network (CVE-2024-8190, CVSS 7.2, high). The versions CSA 4.6 Patch 519 and CSA 5.0 correct the problems. Ivanti links to update instructions in the security advisory.
Ivanti also warns of six high-risk security vulnerabilities in the Workspace Control software (IWC). Contrary to the CVSS rating, Ivanti apparently classifies some of these as critical. According to Ivanti's developers, attackers can extend their rights and move further into the network ("lateral movement"). However, they note that IWC is not intended to be accessible on the Internet and attackers would need admin rights to do so. Ivanti IWC 10.18.99.0 closes the security gaps, and Ivanti also provides a link to upgrade instructions.
IT managers should install the updates quickly for all affected products due to the severity of the vulnerabilities.
Ivanti last closed a vulnerability in Virtual Traffic Manager in August that allowed unauthenticated attackers to create admin accounts and completely compromise vulnerable instances. In the months leading up to this, software patches were also repeatedly released to fix vulnerabilities in Ivanti's Endpoint Manager, some of which were critical. Exploits have also emerged for these vulnerabilities, which cybercriminals can add to their arsenal of attack tools.
(dmk)